Restrict permissions with IAM role policy statements

Restrict permissions with IAM role policy statements - AMS Advanced User Guide

AMS uses an IAM role to set user permissions through your federation service.

Single-Account Landing Zone AMS: See SALZ: Default IAM User Roles.

Multi-Account Landing Zone AMS: See MALZ: Default IAM User Roles.

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, roles are assumed by trusted entities, such as IAM users, applications, or AWS services such as Amazon EC2. For more information, see IAM Roles.

To scope down the permissions of a user who assumes the AMS IAM user role, pass a more restrictive IAM policy in the Policy request field of the AWS Security Token Service (STS) API operation AssumeRole.

Example policy statements that you can use to restrict CT access are provided next.

Using your configured Active Directory (AD) groups, and the AWS Security Token Service (STS) API operation AssumeRole, you can set permissions for certain users or groups, including restricting access to certain change types (CTs). You can use the policy statements shown below to restrict CT access in various ways.

AMS change type statement in the default IAM instance profile that allows access to all AMS API calls (amscm and amsskms) and all change types:

    {
      "Sid": "AWSManagedServicesFullAccess",
      "Effect": "Allow",
      "Action": [ "amscm:*", "amsskms:*" ],
      "Resource": [ "*" ]
    }

  1. Statement to allow all actions on only two specified CTs, where "Action" lists the AMS API operations (either amscm or amsskms) and "Resource" lists existing change type IDs with their version numbers:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "amscm:*",
          "Resource": [
            "arn:aws:amscm:*:*:changetype/ct-ID1:1.0",
            "arn:aws:amscm:*:*:changetype/ct-ID2:1.0"
          ]
        }
      ]
    }
  2. Statement to allow access for CreateRfc, UpdateRfc, and SubmitRfc on only two specified CTs:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "amscm:CreateRfc", "amscm:UpdateRfc", "amscm:SubmitRfc" ],
          "Resource": [
            "arn:aws:amscm:*:*:changetype/ct-ID1:1.0",
            "arn:aws:amscm:*:*:changetype/ct-ID2:1.0"
          ]
        }
      ]
    }
  3. Statement to allow access for CreateRfc, UpdateRfc, and SubmitRfc on all available CTs:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "amscm:CreateRfc", "amscm:UpdateRfc", "amscm:SubmitRfc" ],
          "Resource": "*"
        }
      ]
    }
  4. Statement to deny all actions on a restricted CT and allow them on all other CTs:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "amscm:*",
          "Resource": "arn:aws:amscm:*:*:changetype/ct-RetrictedID:1.0"
        },
        {
          "Effect": "Allow",
          "Action": "amscm:*",
          "Resource": "*"
        }
      ]
    }
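
The following is an added example, not code from the AMS guide: a simplified offline evaluator that shows why a policy passed in the AssumeRole Policy field can only narrow the role's permissions (the request must be allowed by both the role policy and the session policy), and how the Policy value is serialized. It ignores Condition, NotAction, and NotResource; the account ID, region, and role name are constructed placeholders.

```python
import json
import re

# Role policy: the default AMS statement shown on this page (all amscm/amsskms calls).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSManagedServicesFullAccess", "Effect": "Allow",
    "Action": ["amscm:*", "amsskms:*"], "Resource": ["*"]}]}

# Session policy: statement 2 from this page (three RFC operations on two CTs).
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["amscm:CreateRfc", "amscm:UpdateRfc", "amscm:SubmitRfc"],
    "Resource": ["arn:aws:amscm:*:*:changetype/ct-ID1:1.0",
                 "arn:aws:amscm:*:*:changetype/ct-ID2:1.0"]}]}

def matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    if isinstance(patterns, str):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    for p in patterns:
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(rx, value, flags):
            return True
    return False

def decision(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy; explicit Deny wins."""
    result = "ImplicitDeny"
    for st in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        if matches(st["Action"], action, True) and matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def session_allows(role_policy, session_policy, action, resource):
    """A session policy cannot grant anything: both policies must allow the request."""
    return (decision(role_policy, action, resource) == "Allow"
            and decision(session_policy, action, resource) == "Allow")

def assume_role_params(role_arn, session_name, session_policy):
    """Build AssumeRole request parameters; Policy is sent as a JSON string."""
    return {"RoleArn": role_arn, "RoleSessionName": session_name,
            "Policy": json.dumps(session_policy, separators=(",", ":"))}

if __name__ == "__main__":
    ct = "arn:aws:amscm:us-east-1:123456789012:changetype/ct-ID1:1.0"  # constructed
    print(session_allows(ROLE_POLICY, SESSION_POLICY, "amscm:SubmitRfc", ct))
```

The dictionary returned by `assume_role_params` has the shape an SDK call to AssumeRole expects, so the same session policy can be checked offline against sample CT ARNs before it is used.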
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.